The Project Management Book of Knowledge (PMBOK) defines program management as the application of knowledge, skills, tools, and techniques to project activities in order to meet or exceed stakeholder needs and expectations from a project. Meeting or exceeding stakeholder needs and expectations invariably involves balancing competing demands among scope, time, cost, and quality; stakeholders with differing needs and expectations; and identified requirements (needs) and unidentified requirements (expectations). The PMBOK further defines nine knowledge areas within project management, including Project Risk Management. The PMBOK further specifies four major processes: risk identification, risk quantification, risk response development, and risk response control.
Program Management applies to a wide variety of projects. Classified projects are sponsored by the U.S. Government and focus on a wide variety of systems including national security, military services, and law enforcement. Sensitive projects are also relevant to these organizations but can also encompass company proprietary, intellectual property, or legal liability issues.
For any acquisition program, particularly those dealing with national security, it is vital to identify the critical elements of the program and their vulnerabilities in order to mitigate any threat. Organizations involved in classified activities are required, by law, federal statute, or organizational policy, to perform extensive Integrated System Security (ISS) engineering tasks. ISS is a set of integrated processes, applied to all aspects of a system, that identify security vulnerabilities and determine countermeasures to eliminate or mitigate unacceptable risks to a system. The purpose of any ISS program is to identify security concerns from the earliest point in an acquisition program when the value of key information or technologies is recognized and to continually assess and monitor. Early identification of critical program elements prevents exploitation of U.S. technologies and the development of countermeasures against them by foreign adversaries, and assists in the management of security risks over the entire lifecycle of the system. In the era of risk management, program managers need solid information on which to decide where scarce resources need to be allocated.
Corporations, businesses, or individuals developing new products or processes also need to consider protecting their inventions, trade secrets, and other proprietary and intellectual property that may be vulnerable to external and internal threats (e.g., industrial espionage or insider threats). Legal liability concerns also need careful scrutiny to help ensure that products cannot be maliciously tampered with or used for purposes contrary to their originally intended purpose. ISS processes and procedures are equally applicable to these types of sensitive projects.
Most of this planning is subjective and requires significant individual expertise and extensive training. For government organizations, acquisition security training is provided by organizations like the Defense Acquisition University or the Defense Security Services Academy. Corporate training is typically through internally supported courses or seminars. Teaching and applying systems engineering principles to standardize embedded risk management tasks allows users to automate many of these tasks, generate necessary documentation, and overcome inexperience and training limitations.
The traditional approach to managing risk is to identify risks, quantify those risks, develop responses/countermeasures to mitigate or eliminate the risks, and control any remaining residual risks. Typically, a risk rating matrix is applied to the three areas of technical performance, schedule, and cost. These three components have been the central focus of risk management. A major component lacking in this model is the application of ISS and Security System Engineering principles to lifecycle protection.
Acquisition lifecycle models have been developed for the Intelligence Community (IC), the Department of Defense (DoD), National Security Space (NSS), the National Reconnaissance Office (NRO), and the National Aeronautics and Space Administration (NASA). The program protection and security aspects of these models follow the same basic methodology: what do we protect, why do we protect it, who do we protect it from, when and where do we protect it, and how do we protect it. Lifecycles are divided into phase groups, which are further divided into phases. Each phase has a set of milestones, activities, and reports. These lifecycle models represent a definitive approach to defining the process for security policies, procedures, and requirements for an entire acquisition lifecycle. Currently, security professionals would follow these processes and manually compile and process data. There was no comprehensive automated means for performing these tasks and no means for effectively managing and tracking the information. This often led to inconsistencies in the process and a lack of standardization and accountability.